Introduction
In this lab, you will learn how to specify targets for scanning in Nmap, a free and open-source network scanner. The lab covers various scanning scenarios, including scanning the localhost using the IP address 127.0.0.1, scanning an IP range (e.g., 192.168.1.1-10), scanning a subnet (e.g., 192.168.1.0/24), creating a target list in Xfce and scanning it, excluding specific IPs from a scan, and verifying the results in the Xfce terminal.
Scan localhost with nmap 127.0.0.1
In this step, you will learn how to use Nmap to scan your own machine, also known as localhost. Scanning localhost is a fundamental step in network security and helps you understand what services are running on your machine and whether they are vulnerable.
Before we begin, let's briefly discuss what localhost and Nmap are:
- Localhost: This is a hostname that refers to the current computer being used. It uses the IP address 127.0.0.1. When you scan localhost, you are essentially scanning your own machine.
- Nmap: This is a free and open-source network scanner. It is used to discover hosts and services on a computer network by sending packets and analyzing the responses.
To scan localhost using Nmap, follow these steps:
Open the Xfce terminal. The terminal is your gateway to interacting with the Linux operating system.
Type the following command and press Enter:
nmap 127.0.0.1
This command tells Nmap to scan the IP address 127.0.0.1, which is localhost.
Observe the output. Nmap will display a list of open ports and services running on your machine. The output will look similar to this:
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-03 09:10 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000096s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
3001/tcp open  nessus
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
The output shows the open ports on your machine and the services associated with those ports. For example, port 22 is typically used for SSH, port 8080 for HTTP proxy, and so on. Note that without version detection (-sV), the SERVICE column is simply the name Nmap associates with that port number in its services table, not a verified identification of what is actually listening. The STATE column indicates whether the port is open, closed, or filtered.
Note: The specific ports and services that are listed will vary depending on the configuration of your machine.
Scan IP range with nmap 192.168.1.1-10
In this step, you will learn how to scan a range of IP addresses using Nmap. Scanning an IP range is useful for discovering active hosts within a network segment.
Before we proceed, let's understand what an IP range is:
- IP Range: An IP range is a consecutive set of IP addresses. For example, 192.168.1.1-10 represents the IP addresses from 192.168.1.1 to 192.168.1.10, inclusive.
To scan the IP range 192.168.1.1-10 using Nmap, follow these steps:
Open the Xfce terminal.
Type the following command and press Enter:
nmap 192.168.1.1-10
This command instructs Nmap to scan all IP addresses from 192.168.1.1 to 192.168.1.10.
Observe the output. Nmap will display a scan report for each IP address in the specified range. The output will look similar to this:
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-03 09:11 CST
Nmap done: 10 IP addresses (0 hosts up) scanned in 5.04 seconds
The output shows the status of each IP address in the range. In this case, no hosts were found to be up in the 192.168.1.1-10 range. If hosts were up, Nmap would display the open ports and services running on those hosts.
Note: The specific IP addresses, ports, and services that are listed will vary depending on your network configuration. Also, some hosts might be configured to block Nmap scans, so they may appear as down even if they are actually up.
Scan subnet with nmap 192.168.1.0/24
In this step, you will learn how to scan an entire subnet using Nmap. Scanning a subnet is a common task for network administrators and security professionals to discover all active hosts within a network.
Before we begin, let's clarify what a subnet and CIDR notation are:
- Subnet: A subnet is a logical subdivision of an IP network. It allows you to divide a larger network into smaller, more manageable pieces.
- CIDR Notation: CIDR (Classless Inter-Domain Routing) notation is a compact way to represent an IP address and its associated routing prefix. In the example 192.168.1.0/24, 192.168.1.0 is the network address, and /24 indicates the subnet mask. A /24 subnet mask means that the first 24 bits of the IP address are used for the network address, leaving the remaining 8 bits for host addresses. This allows for 256 (2^8) total addresses, with 192.168.1.0 being the network address and 192.168.1.255 being the broadcast address. Usable host addresses range from 192.168.1.1 to 192.168.1.254.
To demonstrate subnet scanning with Nmap, we'll use a more practical approach:
Open the Xfce terminal.
First, let's try a quick ping scan to see if there are any responsive hosts in the subnet. Type the following command and press Enter:
nmap -sn 192.168.1.0/24
The -sn option performs a "ping scan" (host discovery only) without port scanning, which is much faster.
If the ping scan takes too long or shows no results, you can interrupt it with Ctrl+C and try a smaller range instead:
nmap -sn 192.168.1.1-20
This scans only the first 20 IP addresses in the range, which is more manageable.
For demonstration purposes, let's scan a smaller subnet that includes localhost. Try this command:
nmap 127.0.0.0/30
This scans a very small subnet (only 4 addresses: 127.0.0.0, 127.0.0.1, 127.0.0.2, 127.0.0.3) and should complete quickly:
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-03 09:11 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000096s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
3001/tcp open  nessus
8080/tcp open  http-proxy

Nmap done: 4 IP addresses (1 host up) scanned in 0.15 seconds
Note: Scanning large subnets like 192.168.1.0/24 (256 addresses) can take a very long time and may be blocked by network policies in virtualized environments like LabEx. It's often more practical to scan smaller ranges or use host discovery options first to identify active targets before performing detailed port scans.
Use targets.txt file and scan with nmap -iL targets.txt
In this step, you will learn how to use a target list file with Nmap to scan multiple hosts. This is useful when you have a predefined list of IP addresses or hostnames that you want to scan.
Here's how to use the pre-created targets.txt file with Nmap:
Open the Xfce terminal.
First, let's check the contents of the targets.txt file that has been prepared for you. Type the following command and press Enter:
cat ~/project/targets.txt
This will display the contents of the file:
127.0.0.1
192.168.1.1
192.168.1.2
The file contains three IP addresses that we will scan: localhost (127.0.0.1) and two IP addresses from the 192.168.1.x range.
Now, use Nmap to scan the IP addresses listed in the targets.txt file. Type the following command and press Enter:
nmap -iL ~/project/targets.txt
The -iL option tells Nmap to read the target list from the specified file. In this case, it will read the IP addresses from the ~/project/targets.txt file.
Observe the output. Nmap will display a scan report for each IP address in the targets.txt file. The output will look similar to this:
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-03 09:13 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00011s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
2121/tcp open  ccproxy-ftp
2222/tcp open  EtherNetIP-1
3001/tcp open  nessus
8080/tcp open  http-proxy

Nmap done: 3 IP addresses (1 host up) scanned in 1.25 seconds
The output shows the status of each IP address in the targets.txt file. In this case, only localhost (127.0.0.1) was found to be up, while the other IP addresses (192.168.1.1 and 192.168.1.2) were not reachable in the LabEx environment.
Exclude IP with nmap 192.168.1.0/24 --exclude 192.168.1.5
In this step, you will learn how to exclude specific IP addresses from an Nmap scan. This is useful when you want to scan a subnet but need to skip certain hosts, such as network devices or servers that you don't have permission to scan.
To exclude the IP address 192.168.1.5 from the 192.168.1.0/24 subnet scan, follow these steps:
Open the Xfce terminal.
Type the following command and press Enter:
nmap 192.168.1.0/24 --exclude 192.168.1.5
The --exclude option tells Nmap to exclude the specified IP address from the scan. In this case, it will exclude 192.168.1.5 from the 192.168.1.0/24 subnet scan.
Observe the output. The scan will start and may show minimal output due to network configuration in the LabEx environment:
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-03 09:13 CST
The scan will attempt to check all IP addresses in the subnet except for 192.168.1.5. This means Nmap will scan 255 IP addresses instead of 256, because 192.168.1.5 was excluded.
Note: In the LabEx environment, the scan may be interrupted or filtered by network security policies. The specific IP addresses, ports, and services that are listed will vary depending on your network configuration. Also, some hosts might be configured to block Nmap scans, so they may appear as down even if they are actually up.
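To make the target arithmetic behind these steps concrete (10 addresses in 192.168.1.1-10, 4 in 127.0.0.0/30, 255 in a /24 with one host excluded), here is an added Python script that is not part of the lab or of Nmap itself. It expands the same kinds of target specs the lab uses (plain IP, octet range, CIDR, a whitespace-separated target file as read by -iL, and an --exclude list), and goes slightly beyond the lab by accepting a range in any octet, which Nmap also allows. The TARGETS_TXT content is a constructed stand-in for ~/project/targets.txt, and dropping duplicate addresses is this script's own choice.

```python
import ipaddress
import itertools

def _octet_values(part: str) -> range:
    """Values for one octet: '7', '1-10', '-5' (0-5), '5-' (5-255) or '*'."""
    if part == "*":
        lo, hi = 0, 255
    elif "-" in part:
        lo_s, hi_s = part.split("-", 1)
        lo, hi = (int(lo_s) if lo_s else 0), (int(hi_s) if hi_s else 255)
    else:
        lo = hi = int(part)
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"bad octet range: {part!r}")
    return range(lo, hi + 1)

def expand_spec(spec: str) -> list:
    """Expand one IPv4 target spec (plain IP, CIDR, or octet ranges) to addresses."""
    spec = spec.strip()
    if "/" in spec:
        # strict=False: 192.168.1.5/24 means the /24 containing it, as in Nmap.
        # Network and broadcast are included, so a /24 yields 256 and a /30 yields 4.
        return [str(a) for a in ipaddress.ip_network(spec, strict=False)]
    parts = spec.split(".")
    if len(parts) != 4:
        raise ValueError(f"unsupported target spec: {spec!r}")
    return [".".join(map(str, combo))
            for combo in itertools.product(*(_octet_values(p) for p in parts))]

def targets_from_list(text: str) -> list:
    """Read specs the way -iL reads a file: whitespace separated, '#' starts a comment."""
    specs = []
    for line in text.splitlines():
        specs.extend(line.split("#", 1)[0].split())
    return specs

def build_target_set(specs, exclude=()) -> list:
    """Expand all specs, drop addresses matched by --exclude specs, keep first-seen order."""
    excluded = {a for e in exclude for a in expand_spec(e)}
    seen, result = set(), []
    for spec in specs:
        for addr in expand_spec(spec):
            if addr not in excluded and addr not in seen:
                seen.add(addr)          # duplicates dropped: this script's choice
                result.append(addr)
    return result

# Constructed sample standing in for the lab's ~/project/targets.txt
TARGETS_TXT = "127.0.0.1\n192.168.1.1 192.168.1.2  # two hosts from the 192.168.1.x range\n"
```

Running build_target_set(["192.168.1.0/24"], exclude=["192.168.1.5"]) returns the 255 addresses Nmap would scan in the step above, and build_target_set(targets_from_list(TARGETS_TXT)) returns the three addresses from the target file.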
Summary
In this lab, you learned how to specify targets for scanning in Nmap. You started by scanning the localhost using the command nmap 127.0.0.1, which identified several running services including SSH (port 22), ccproxy-ftp (port 2121), EtherNetIP-1 (port 2222), nessus (port 3001), and http-proxy (port 8080). You also learned to scan an IP range with nmap 192.168.1.1-10, which showed no active hosts in the LabEx environment. For subnet scanning, you learned practical approaches including using ping scans (nmap -sn) for host discovery and scanning smaller subnets like 127.0.0.0/30 for faster results. You used a pre-created targets.txt file to scan multiple targets with nmap -iL targets.txt, which successfully scanned localhost but found the other IP addresses unreachable. Finally, you learned to exclude a specific IP from a subnet scan using nmap 192.168.1.0/24 --exclude 192.168.1.5. These exercises demonstrated various ways to specify scan targets and the importance of using appropriate scanning techniques for different network environments.